Claims

[c1] 1. A method of managing operational risk for an
organization, the method comprising:

identifying at least one failure mode for a function of the 
organization; 

identifying at least one cause and at least one effect for 
at least one of the at least one failure mode; 
acquiring ratings associated with the at least one cause 
and the at least one effect; 

permuting the at least one failure mode, the at least one 
cause, and the at least one effect to define at least two 
risk items; and 

producing a risk prioritization report of the at least two 
risk items based at least in part on the ratings associated 
with the at least one cause and the at least one effect. 

[c2] 2. The method of claim 1 further comprising: 

recording a mitigation plan associated with at least one 
of the at least two risk items in the risk prioritization
report; and

tracking implementation of the mitigation plan. 

[c3] 3. The method of claim 1 wherein the ratings further 
comprise: 



a severity rating and a response rating associated with 
each of the at least one effect; and 
an occurrence rating and a detection rating associated 
with each of the at least one cause. 

[c4] 4. The method of claim 3 wherein the producing of the 
risk prioritization report further comprises: 
calculating a criticality based on the severity rating and 
the occurrence rating; 

calculating a risk priority number based on the severity 
rating, the occurrence rating and the detection rating; 
and 

calculating an adjusted criticality based on the criticality, 
the severity rating, and the response rating. 

[c5] 5. The method of claim 4 further comprising: 

determining whether the at least one effect is related to 
at least one of a group consisting of compliance and 
strategic planning; 

wherein the producing of the risk prioritization report 
further comprises determining whether each of the at 
least two risk items represents at least one of a group 
consisting of a compliance related risk, a strategic
planning related risk, a hidden factory, and a tail event.

[c6] 6. The method of claim 2 wherein the ratings further 
comprise: 



a severity rating and a response rating associated with 
each of the at least one effect; and 
an occurrence rating and a detection rating associated 
with each of the at least one cause. 

[c7] 7. The method of claim 6 wherein the producing of the 
risk prioritization report further comprises: 
calculating a criticality based on the severity rating and 
the occurrence rating; 

calculating a risk priority number based on the severity 
rating, the occurrence rating and the detection rating; 
and 

calculating an adjusted criticality based on the criticality, 
the severity rating, and the response rating. 

[c8] 8. The method of claim 7 further comprising: 

determining whether the at least one effect is related to 
at least one of a group consisting of compliance and 
strategic planning; 

wherein the producing of the risk prioritization report 
further comprises determining whether each of the at 
least two risk items represents at least one of a group 
consisting of a compliance related risk, a strategic
planning related risk, a hidden factory, and a tail event.

[c9] 9. The method of claim 1 further comprising: 

acquiring failure mode likelihoods associated with the at
least one failure mode for the function; and

validating the ratings using the failure mode likelihoods. 

[c10] 10. The method of claim 2 further comprising:

acquiring failure mode likelihoods associated with the at
least one failure mode for the function; and

validating the ratings using the failure mode likelihoods. 

[c11] 11. The method of claim 3 further comprising: 

acquiring failure mode likelihoods associated with the at
least one failure mode for the function; and

validating the ratings using the failure mode likelihoods. 

[c12] 12. The method of claim 6 further comprising:

acquiring failure mode likelihoods associated with the at
least one failure mode for the function; and

validating the ratings using the failure mode likelihoods. 

[c13] 13. The method of claim 1 further comprising validating
the ratings using historical data. 

[c14] 14. The method of claim 3 further comprising validating
the ratings using historical data. 

[c15] 15. The method of claim 6 further comprising validating
the ratings using historical data. 

[c16] 16. The method of claim 12 further comprising
validating the ratings using historical data.



[c17] 17. The method of claim 1 wherein the producing of the
risk prioritization report further comprises quantifying at 
least some of the risk items based on financial data. 

[c18] 18. The method of claim 5 wherein the producing of the
risk prioritization report further comprises quantifying at 
least some of the risk items based on financial data. 

[c19] 19. The method of claim 8 wherein the producing of the
risk prioritization report further comprises quantifying at 
least some of the risk items based on financial data. 

[c20] 20. The method of claim 12 wherein the producing of 
the risk prioritization report further comprises
quantifying at least some of the risk items based on financial
data. 

[c21] 21. The method of claim 1 further comprising
determining a stability ratio, wherein the stability ratio represents
a comparison of one of a number of priority risk items
and a number of non-priority risk items to a total
number of risk items.

[c22] 22. The method of claim 2 wherein the method further
comprises determining a stability ratio, wherein the
stability ratio represents a comparison of one of a number
of priority risk items and a number of non-priority risk
items to a total number of risk items and the tracking of
the implementation of the mitigation plan further
comprises tracking a stability ratio.

[c23] 23. A computer program product comprising a computer 
program for facilitating risk assessment and control for 
an organization, the computer program comprising: 
instructions for identifying failure modes for at least one 
function of the organization; 
instructions for identifying at least one cause and at 
least one effect for each failure mode; 
instructions for acquiring ratings associated with the at 
least one cause and the at least one effect; 
instructions for permuting the failure modes, the at least 
one cause, and the at least one effect to define risk 
items; and 

instructions for producing a risk prioritization report of 
the risk items based at least in part on the ratings asso- 
ciated with the at least one cause and the at least one 
effect for each failure mode. 

[c24] 24. The computer program product of claim 23 wherein 
the computer program further comprises: 
instructions for recording a mitigation plan associated
with at least one of the risk items in the risk
prioritization report; and

instructions for tracking implementation of the
mitigation plan.

[c25] 25. The computer program product of claim 23 wherein 
the ratings further comprise: 

a severity rating and a response rating associated with 
each of the at least one effect; and 
an occurrence rating and a detection rating associated 
with each of the at least one cause. 

[c26] 26. The computer program product of claim 25 wherein 
the instructions for producing the risk prioritization
report further comprise:

instructions for calculating a criticality based on the 
severity rating and the occurrence rating; 
instructions for calculating a risk priority number based 
on the severity rating, the occurrence rating and the
detection rating; and

instructions for calculating an adjusted criticality based 
on the criticality, the severity rating, and the response 
rating. 

[c27] 27. The computer program product of claim 26 wherein 
the computer program further comprises: 
instructions for determining whether the at least one
effect is related to at least one of a group consisting of
compliance and strategic planning; 
wherein the instructions for producing of the risk
prioritization report further comprise instructions for
determining whether each of the risk items represents at least
one of a group consisting of a compliance related risk, a 
strategic planning related risk, a hidden factory, and a 
tail event. 

[c28] 28. The computer program product of claim 24 wherein 
the ratings further comprise: 

a severity rating and a response rating associated with 
each of the at least one effect; and 
an occurrence rating and a detection rating associated 
with each of the at least one cause. 

[c29] 29. The computer program product of claim 28 wherein 
the instructions for producing the risk prioritization
report further comprises:

instructions for calculating a criticality based on the 
severity rating and the occurrence rating; 
instructions for calculating a risk priority number based 
on the severity rating, the occurrence rating and the
detection rating; and

instructions for calculating an adjusted criticality based 
on the criticality, the severity rating, and the response 
rating. 

[c30] 30. The computer program product of claim 29 wherein 
the computer program further comprises: 



instructions for determining whether the at least one
effect is related to at least one of a group consisting of
compliance and strategic planning; 
wherein the instructions for producing of the risk
prioritization report further comprise instructions for
determining whether each of the risk items represents at least
one of a group consisting of a compliance related risk, a 
strategic planning related risk, a hidden factory, and a 
tail event. 

[c31] 31. The computer program product of claim 23 wherein 
the computer program further comprises: 
instructions for acquiring failure mode likelihoods
associated with the at least one failure mode for the function;
and 

instructions for validating the ratings using the failure 
mode likelihoods. 

[c32] 32. The computer program product of claim 24 wherein 
the computer program further comprises: 
instructions for acquiring failure mode likelihoods
associated with the at least one failure mode for the function;
and 

instructions for validating the ratings using the failure 
mode likelihoods. 

[c33] 33. The computer program product of claim 25 wherein
the computer program further comprises:
instructions for acquiring failure mode likelihoods
associated with the at least one failure mode for the function;
and 

instructions for validating the ratings using the failure 
mode likelihoods. 

[c34] 34. The computer program product of claim 28 wherein 
the computer program further comprises: 
instructions for acquiring failure mode likelihoods
associated with the at least one failure mode for the function;
and 

instructions for validating the ratings using the failure 
mode likelihoods. 

[c35] 35. The computer program product of claim 23 wherein 
the computer program further comprises instructions for 
validating the ratings using historical data. 

[c36] 36. The computer program product of claim 25 wherein 
the computer program further comprises instructions for 
validating the ratings using historical data. 

[c37] 37. The computer program product of claim 28 wherein 
the computer program further comprises instructions for 
validating the ratings using historical data. 

[c38] 38. The computer program product of claim 34 wherein
the computer program further comprises instructions for
validating the ratings using historical data. 

[c39] 39. The computer program product of claim 23 wherein 
the instructions for producing the risk prioritization
report further comprise instructions for quantifying at least
some of the risk items based on financial data. 

[c40] 40. The computer program product of claim 27 wherein 
the instructions for producing the risk prioritization
report further comprise instructions for quantifying at least
some of the risk items based on financial data. 

[c41] 41. The computer program product of claim 30 wherein
the instructions for producing the risk prioritization
report further comprise instructions for quantifying at least
some of the risk items based on financial data. 

[c42] 42. The computer program product of claim 34 wherein 
the instructions for producing the risk prioritization
report further comprise instructions for quantifying at least
some of the risk items based on financial data. 

[c43] 43. The computer program product of claim 23 wherein 
the computer program further comprises instructions for 
determining a stability ratio, wherein the stability ratio 
represents a comparison of one of a number of priority 
risk items and a number of non-priority risk items to a
total number of risk items.



[c44] 44. The computer program product of claim 24 wherein 
the computer program further comprises instructions for 
determining a stability ratio, wherein the stability ratio 
represents a comparison of one of a number of priority 
risk items and a number of non-priority risk items to a 
total number of risk items and the instructions for
tracking the implementation of the mitigation plan further
comprise instructions for tracking a stability ratio. 

[c45] 45. Apparatus for facilitating risk management for an
organization, the apparatus comprising:
means for identifying failure modes for at least one 
function of the organization; 

means for identifying at least one cause and at least one 
effect for each failure mode; 

means for acquiring ratings associated with the at least
one cause and the at least one effect;

means for permuting the failure modes, the at least one
cause, and the at least one effect to define risk items;
and

means for producing a risk prioritization report of the 
risk items based at least in part on the ratings associated 
with the at least one cause and the at least one effect for 
each failure mode. 



[c46] 46. The apparatus of claim 45 further comprising: 

means for recording a mitigation plan associated with at 
least one of the risk items in the risk prioritization
report; and

means for tracking implementation of the mitigation 
plan. 

[c47] 47. The apparatus of claim 45 further comprising: 

means for acquiring failure mode likelihoods associated 
with the at least one failure mode for the function; and 
means for validating the ratings using the failure mode 
likelihoods. 

[c48] 48. The apparatus of claim 46 further comprising: 

means for acquiring failure mode likelihoods associated 
with the at least one failure mode for the function; and 
means for validating the ratings using the failure mode 
likelihoods. 

[c49] 49. The apparatus of claim 45 further comprising means 
for validating the ratings using historical data. 

[c50] 50. The apparatus of claim 46 further comprising means 
for validating the ratings using historical data. 

[c51] 51. The apparatus of claim 47 further comprising means 
for validating the ratings using historical data. 



[c52] 52. The apparatus of claim 48 further comprising means 
for validating the ratings using historical data. 

[c53] 53. The apparatus of claim 45 further comprising means 
for determining a stability ratio, wherein the stability
ratio represents a comparison of one of a number of
priority risk items and a number of non-priority risk items to
a total number of risk items. 

[c54] 54. A system for facilitating risk assessment and control
for an organization comprising:
at least one analysis module to identify causes and
effects associated with failure modes of at least one
function of the organization and acquire ratings associated
with the causes and effects; 

at least one data store operationally connected to at 
least some of the at least one analysis module to store 
failure modes, causes, effects, and ratings; and 
at least one calculation module operationally connected 
to the at least one data store to permute the failure 
modes, causes and effect to define risk items and
produce a risk prioritization report of the risk items based
at least in part on the ratings. 

[c55] 55. The system of claim 54 wherein the ratings further 
comprise: 

a severity rating and a response rating associated with
each effect; and

an occurrence rating and a detection rating associated 
with each cause. 

[c56] 56. The system of claim 55 wherein the at least one
calculation module is operable to calculate a criticality
based on the severity rating and the occurrence rating, a
risk priority number based on the severity rating, the
occurrence rating and the detection rating, and an adjusted
criticality based on the criticality, the severity rating, and 
the response rating. 

[c57] 57. The system of claim 56 wherein the at least one
calculation module is operable to determine whether each
of the risk items represents at least one of a group
consisting of a compliance related risk, a strategic planning
related risk, a hidden factory, and a tail event. 

[c58] 58. The system of claim 54 further comprising a data
validation module operationally connected to the at least
one data store, the data validation module operable to 
validate ratings at least in part using historical data. 

[c59] 59. The system of claim 54 further comprising a risk 
data quantification module operationally connected to 
the at least one data store, the risk data quantification 
module operable to quantify ratings based at least in
part on financial data.

[c60] 60. The system of claim 55 further comprising a data
validation module operationally connected to the at least
one data store, the data validation module operable to 
validate ratings at least in part using historical data. 

[c61] 61. The system of claim 55 further comprising a risk 
data quantification module operationally connected to 
the at least one data store, the risk data quantification 
module operable to quantify ratings based at least in 
part on financial data. 

[c62] 62. The system of claim 56 further comprising a data
validation module operationally connected to the at least
one data store, the data validation module operable to 
validate ratings at least in part using historical data. 

[c63] 63. The system of claim 56 further comprising a risk 
data quantification module operationally connected to 
the at least one data store, the risk data quantification 
module operable to quantify ratings based at least in 
part on financial data. 

[c64] 64. The system of claim 57 further comprising a data
validation module operationally connected to the at least
one data store, the data validation module operable to 
validate ratings at least in part using historical data. 



[c65] 65. The system of claim 57 further comprising a risk 
data quantification module operationally connected to 
the at least one data store, the risk data quantification 
module operable to quantify ratings based at least in 
part on financial data. 

[c66] 66. The system of claim 54 further comprising an
operational interface to a risk meta-modeling system.

[c67] 67. The system of claim 58 further comprising an
operational interface to a risk meta-modeling system.

[c68] 68. The system of claim 59 further comprising an
operational interface to a risk meta-modeling system.

[c69] 69. The system of claim 62 further comprising an
operational interface to a risk meta-modeling system.

[c70] 70. The system of claim 63 further comprising an
operational interface to a risk meta-modeling system.

[c71] 71. The system of claim 54 further comprising a stability 
analysis module operationally connected to the at least 
one calculation module to determine a stability ratio, 
wherein the stability ratio represents a comparison of 
one of a number of priority risk items and a number of 
non-priority risk items to a total number of risk items. 



